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ABSTRACT 

In a phased mission the relevant system configuration (block 
diagram or fault tree) changes during consecutive time periods 
(phases). Many systems are required to perform phased missions; a 
classic example is a spacecraft. 

The reliability analysis of a phased mission encounters complexi- 
ties not present with just one phase, but can be transformed into an 
analysis of an equivalent synthetic single-phase system. The trans- 
formation has a potential for direct application, but can also be used 
to study refined computational methods and to derive approximations 
to, and bounds on, mission reliability. 
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1, INTRODUCTION 



1.1 BACKGROUND 

Among the various areas of applied probability theory and statis- 
tics which jointly have become known as reliability theory, structural 
reliability^ " is the study of qualitative and quantitative relationships 
between the reliability of (redundant) systems and the reliability of 
their components. Reliability in the sense used here is the probabi- 
lity of a device performing its purpose adequately for the period of 

2 

time intended and the operating conditions encountered." 

The problem of constructing reliable systems by using relatively 
unreliable components redundantly was first studied by von Neumann 
1 1956 J « iioore and Shannon [1956], inspired by the von Neumann paper, 
analyzed relay circuits in which all relays have the same reliability. 
They proved that the reliability of the circuit is an S-shaped function 
of the common relay reliability, and subsequently showed that by pro- 
per incorporation of redundancy, arbitrarily reliable circuits can be 
constructed from arbitrarily unreliable elements. Their analysis pro- 
ceeded from a mathematical result which has come to be called the 
"Moore-Shannon inequality." Birnbaum, Esary, and Saunders [1961] 
generalized the concepts and extended some of the results of Hoore 

and Shannon, including the S-shapedness property, tto the large class 

3 

of "coherent 51 systems, using Boolean functions to describe the func- 

4 

tional organization of systems. Esary and Prosctnan [1963] further 
extended the Moore-Shannon inequality to the case to.f unequal component 
reliabilities, and obtained convenient upper and Trower bounds on 
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system reliability. With the subsequent introduction of the con- 
cept of "system life"^ [Esary and Marshall 1964], a theoretical basis 
for the reliability analysis of complex systems was complete. 

Recent and ongoing research seems to follow mainly two lines. On 
one hand, the theoretical basis is broadened, more realistic and hence 
more complex situations are considered, and attempts to do without 
some of the restrictive assumptions^ presently required are made. On 
the other hand, approximation techniques and computational procedures 
are explored with a view toward their implementation on digital com- 
puters. 

One specialized area of interest is the extension of the basic 
problem of structural reliability to the situation in which the func- 
tional organization of a system changes with time. This situation, 
called the phased mission problem, is the topic of this thesis. 

1.2 THE PHASED MISSION PROBLEM 

The reliability analysis of phased missions has received attention 
in the basic papers of Rubin [1964] and Weisberg and Schmidt [1966] 
which present procedures to approximately predict mission reliability 
and crew safety for manned spacecraft. These authors introduced a 

g 

method of "cut cancellation" which can be advantageously used to 
simplify the structure of a system prior to beginning reliability 
calculations. More recently, a similar approach is described in the 
United States Navy reliability manual NAVORD OD 29304 Revision A 

9 

[1973]. Muth [1964], in an unpublished report, approached the 
problem from a different angle, concentrating on "success paths. 
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The phased mission problem as considered here refers to the 



following situation: 

A system consists of several components . The components perform 
independently of each other, and each of them can be in one of 
two states, functioning or failed . No component can be repaired 
or replaced, and each component has a life .~^ The system performs 
a mission which can be divided into consecutive time periods, or 
phases . During each phase it has to accomplish a specified task. 
Thus the system configuration (a subset of the components and their 
functional organization which can be represented, for instance, by 
a block diagram or a fault tree) changes from phase to phase. As 
is the case with individual components, only two states of the 
system are recognized, functioning or failed. 

With this situation in mind, the problem itself can be stated as: 

Given the survival characteristics of the components, the rele- 
vant system configuration in each phase, and the duration of the 
. phases, what is the probability that the system will function 
throughout the mission, i.e. the mission reliability for the 
system? 

The classic example of a phased mission is the voyage of a space 

12 

vehicle, but many other systems are also required to perform phased 

missions. To illustrate the ideas and methods of this thesis, the 

13 

following hypothetical situation will frequently be considered. 
Example 1.1 . A fire department has three vehicles: 

- a multipurpose fire engine (M) , 

- a tanker (T) , 

- a light fire truck (L) , 
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The firefighting equipment of a small chemical factory located 
nearby consists of: 

- a sprinkler system (S), 

- a hydrant (H) , 

- a special apparatus for fighting chemical fires (F) . 

The plant safety engineer wonders whether the combined hardware 
resources of the fire department and the factory are sufficient to 
fight a fire in the factory* He consults the fire chief, and together 
they conclude: 

(1) During the initial stage of a fire either the multipurpose 
engine, which carries a small water supply, or the light truck, pro- 
vided the sprinkler system works, suffices to evacuate the building. 

(2) To contain the fire the factory’s special apparatus is 
needed, together with some auxiliary capability from the multipurpose 
engine or the light truck. Water can be supplied to the special 
apparatus and the department’s units by the hydrant, or if it is out 
of order, by the tanker through pumps in the multipurpose engine. 

(3) After the fire has been contained it can be controlled 
either by the special apparatus or the multipurpose engine. Again, 
water can be supplied by the hydrant or by the tanker together with 
the multipurpose engine. □ 

The firefighting system described above has six components, and 
it has to perform a three-phased mission. If it fails in even one 
of the three phases, the mission is not accomplished. 

1.3 SOME COMPLEXITIES OF THE PHASED MISSION PROBLEM 

The reliability analysis of a phased mission encounters some 
complexities which are not present when only one phase is considered. 
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For one thing, it is not correct to do a standard reliability 
analysis for each phase separately, and then multiply the resulting 
phase reliabilities together, even if the age of the components at 
the beginning of each phase is taken into account. The implicit 
assumption involved, that each component is functioning at the begin- 
ning of a phase when the system has functioned throughout the previous 
phase, is not necessarily true. The following example illustrates 
this point. 

Example 1.2 . A system with two independent components, 
and is designed for a two-phased mission. In order for the 

system to perform the required tasks, at least one component has to 
function through phase 1 and both components have to function through 
phase 2. The block diagram for this system is 




phase I phase 2 



For k=l,2, let tt ^ denote the probability that component 
functions through phase 1, and tt denote the conditional proba- 
bility that component functions through phase 2, given that it 

has functioned through phase 1. The system reliability for phase 1 
is 4- k - tt h 7T 21 * and the s y stein reliability for phase 

2, given that both the components have functioned through phase 1, 
is ^2 ~ ti 12 tt 22 * Multiplying these together would lead to the 
mission reliability 
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ll 7T 2i ;7r 12 Tr 22 ' 



This is greater than the correct mission reliability, which is 




since mission success is achieved if, and only if, both components 
function throughout both phases. □ 

The multi-phase case is potentially different from the single- 
phase case in another respect. With just one phase, if each component 

has a life and the system configuration is coherent, then the system 
14 

has a life. In the multi-phase case this is not necessarily true. 
Even if all comppnents have lives and all phase configurations are 
coherent, the system may not have a life. How this can happen is 
shown in the next example. 

Example 1.3 . A two-component system is designed for a two-phase 
mission with the phase configurations represented by the block 
diagram 



a probability (1 - tt^) tt 21^22 s Y stem fails in phase 1, but 

functions again in phase 2. In this sense the system does not have 
a life. □ 

The possible resurrection of a system in a later phase does not 





phase I 



phase 2 




present a problem in the reliability analysis of phased missions if 
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It is assumed that the life of the system ends at the time of its 
first failure. This assumption is reasonable since failure of the 
system in even one phase usually prevents mission success, and will 
always be made here. By contrast, the possible resurrection of a 
component would pose a much more serious problem, and is ruled out by 
the assumption that all components have lives. 



1.4 NON-ANALYTIC WAYS TO EVALUATE PHASED MISSIONS 

Traditionally, the reliability of complex systems performing 

multi-phased missions has been estimated by Monte Carlo methods. ^ For 

large systems, however, mission simulation and determination of success 

or failure are time-consuming even when digital computers are employed. 

Furthermore, Monte Carlo methods require a great number of simulation 

replications before high confidence limits can be placed on c narrow 

reliability band. It is therefore not surprising that these methods 

proved to be excessively expensive in terms of both, time and money, 

especially when parametric studies must be performed. ^ 

Another method of analyzing phased missions is by considering the 

distinct combinations of component performances which lead to mission 

success, i,e. the success paths . To see how this works, assume that 

the system has n components C_,,..,C , and is designed for an 

1 n 

m-phased mission. Let be the maximum number of phases component 

survives, £^=0, 1 , . . . ,m, k=l,...,n. Each of the n-tuples 
(£^,,.,,£ n ) then represents an event which implies either mission 
success or failure, depending on the functional organization of the 
system in the m phases. The probabilities of the events can be com- 
puted from the component survival characteristics. Since the events ' 
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are disjoint, the probability of mission success, i.e. the relia- 
bility of the system for the mission, is the sum of the probabilities 
of the success path events. 

This method is straightforward and could easily be developed into 
an algoritnm for computer implementation. In addition, it has the 
advantage that with a slight modification not only the mission relia- 
bility but also the probability of the system to survive the first j 
phases of its mission, j=l,...,m, can be obtained. However, the 
number of n-tuples to be considered, (m+l) n , is such that economic 
reasons prevent its use even for moderately sizea systems performing 
only a few phases. 

A refined computational method based on success paths was developed 
by Muth [1964] . His approach consists of setting up phase matrices of 
components and success paths, and collapsing these matrices successively 
into a single matrix which represents system success at the end of phase 
j, j=l, . * . ,m. If the system can be broken up into many small sub- 
systems which have no components in common and thus can be analyzed 
separately, this approach makes reliability computations feasible. 

1.5 CONTENTS AND SUMMARY 

In this thesis, the phased mission problem is approached analytic- 
ally. The verbal statement of the problem in Section 1.2 is translated 
into mathematical terms in Chapter 2. The resulting model is an equa- 
tion which relates mission reliability to the survival characteristics 
of the components, the phase durations, and the phase configurations. 
However, this equation, i.e. 2.3.1, neither provides much insight into 
the problem nor can it easily be used to obtain numerical results. 
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In Chapter 3 a transformation is exhibited by means of which 
a multi-phase mission can be reduced to an equivalent synthetic 
single-phase system. Direct applications of this transformation are 
discussed in Chapter 4. They include a method to adapt existing 
algorithms and computer programs to the calculation of exact mission 
reliabilities, and a technique to simplify phased mission problems 
prior to beginning reliability calculations - 

A troublesome byproduct of the transformation is an apparent 
increase in the number of components of the system to which it is 
applied . This may aggravate computational problems and make the cal- 
culation of the exact mission reliability infeasible. Consequently, 
it may be necessary to resort to approaches which require less com- 
putational effort. Chapter 5, therefore, is devoted to a study of 
bounds on mission reliability. Several upper and lower bounds are 
derived and compared with each, other, both in terms of precision and 
the amount of computational effort required, and an algorithm for the 
"best" lower bound is presented, ^-An approximation technique which 
has successfully been applied to single-phase systems is based on the 
approximate hazard transform of Esary and Hayne [1973] ; its potential 
for the phased mission problem is discussed in Chapter 6. 

Finally, possible extensions of the methods presented in this 
thesis, and areas where further research is needed, are indicated in 
Chapter 7, 
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2. MATHEMATICAL FORMULATION OF THE PHASED MISSION PROBLEM 



The starting point of an analysis of the phased mission problem 
described in Section 1.2 is a mathematical model which quantitatively 
relates the variables of interest (the survival characteristics of the 
components, the functional organization of these components in the 
various phases of the mission, and the duration of the phases) to 
mission reliability. Such a model is developed here in three steps. 
The analytic tools employed are extensions of those used in standard 
reliability analysis. The underlying assumptions are made explicit. 

2.1 A MODEL FOR COMPONENT PERFORMANCES 

The system under consideration is assumed to have n components, 

labelled (^,...,0^. Each component C^ has a life, and hence its 

time to failure, or life length, is well defined. Since it depends 

on many factors and cannot be predicted accurately, it is expressed 

17 18 

by a non-negative random variable T^. The assumption that the 
components perform independently of each other formally means that 
T^,...,T are stochastically independent. 

For each component C^ and all times t>0, let X^(t) be a 
Bernoulli random variable defined by 



1 if component C^ functions at time t, 



\ (t > ■ 



0 otherwise. 



The random variable 




is called a performance state indicator 



variable , and the stochastic process 




is the performance 



process of the component C^. Since each component has a life, this 
process has the properties: 



17 



( 2 . 1 . 1 ) 



a) X k (t) = 0 <==> X^s) = 0, s > t. 

b) x k (t) = 1 <==> X^s) = 1, 0 S s S t. 

Thus a sample path of a performance process is non- increasing and 
continuous from the right, as indicated in Figure 2.1. 



X (t) = I 




Figure 2.1. Performance process sample 
path, component C^. 

For each t>0, let X(t) = (X (t ) , . . . ,X (t) ) be the performance 
state indicator vector of the set of components. Then the stochastic 
process {X(t),t>0} is called the joint performance process of the 
components . 

The joint performance process is a mathematical description of the 
component failure times, and as such the first step in the development 
of the model. It is compatible with the use of structure functions 
to represent system configuration within the phases, which is discussed 
in the next section. 

2.2 A MODEL FOR SYSTEM CONFIGURATIONS 

It is assumed throughout this thesis that the state of the system 
(i.e. functioning or failed) is completely determined by the states of 
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19 

its components. Then the system configuration in each of the 

20 21 

phases can be described by a block diagram or a fault tree for 
conceptual purposes, or by a structure function for mathematical 
analysis. A structure function is a binary function cf> of binary 
variables x^,...,x n which relates the performance state of the 
system to the performance states of its components; in particular 
<f> (x) = (f> (x^, . . . ,x^) =1 if the system functions, and <j> (x) = 0 
otherwise, where x^ = 1 if component functions, and x^ = 0 

otherwise. 

It is further assumed that each phase configuration of a system 
22 

is coherent , i.e. can be represented by a block diagram or a fault 

tree using AND and OR gates. If a configuration is coherent, then 

23 

its structure function <f> has the properties: 

a) $ (x) > <J>(y) whenever x^ > y , k=l,...,n. 

(2.2.1) b) (f)(0) = <(>(0,...,0) = 0. 

c) (f)(1) = <f>(l,...,l) = 1. 



To illustrate, a block diagram for the mission described in 
Example 1.1 is shown in Figure 2.2, and a fault tree in Figure 2.3. 




phose I phase 2 phase 3 



Figure 2.2. Block diagram for the mission 
of Example 1.1. 
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Figure 2.3. Fault tree for the mission 
of Example 1.1. 
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The structure functions for the system of Example 1.1 are: 

for phase 1, 4^ = ^ v x^g, 

for phase 2, <j> 2 = v x L ) v x^) , 

for phase 3, 4> 3 = XpX R v * M (x T v x R ) . 

The symbol v is the arithmetic OR operator, i.e. 



X ! V X 2 



1 if = 1 or = 1, 



0 if x = 0 and = 0, 



or for computational purposes, x i v x 2 = x i + x 2 " X 1 X 2 = 

1 - (l-x^ (l-x 2 ) . 

The phase structure functions can be combined with the joint per- 
formance process to achieve a concise mathematical formulation of the 
phased mission problem. 

2.3 A COMPLETE MODEL FOR THE PHASED MISSION PROBLEM 

The mission is assumed to be divided into m phases, and to 
start at time t=0. For j=l,...,m, the time at which phase j ends 
and, except for j=m, the next phase begins, is denoted by t . The 
structure function appropriate for phase j is denoted by <|> . 

The event that the system functions during phase j can be 
expressed as (X(t^. ) )=l} , and the event that the system functions 

throughout the m phases, i . e . N throughout the mission, as 
{(^ (X(t^) )=1, . . . ,<J> m (X(t ) )=l} . The mission reliability for the system 
is the probability that this event occurs. Since ^ (X(t_. ) ) , 
are Bernoulli random variables, this probability can be expressed com- 
pactly by 
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(2.3.1) p = PETTj™! ^(X( tj ))=l] = E TT-^CXCt.)), 
where E denotes expectation. 

Equation (2.3.1) is the complete model for the phased mission 
problem as described in the introduction and as qualified by the 
assumptions made, but neither is it a formula for practical reliability 
calculations nor does it provide much insight into the problem. It 
does, however, indicate that the sequential operation of the phase 
configurations to some extent resemble the operation of subsystems 
performing in series. This fact is essential in transforming the 
phased mission problem. 
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3. TRANSFORMATION OF THE PHASED MISSION PROBLEM 



Complexities in the reliability analysis of phased missions arise 
because a component’s performance in one phase is not stochastically 
independent of its performance in any other phase. The dependence, 
however, is of a special type. A component functions in phase j if, 
and only if, it has previously functioned in phase 1, and in phase 2, 
..., and in phase j-1, and then functions in phase j. This sequence 
of requirements suggests that the performance of a component in phase 
j can be represented by a series-like structure whose elements repre- 
sent its performance in phases l,...,j. 



3.1 THE TRANSFORMATION 

Suppose that component is replaced in phase j by a system 

of components > • * * , performing independently and in series. 

In block diagram format, the block 



is replaced in phase j by the system 

EH E3 0— 



In fault tree format, the input event (failure of component C^) 

is replaced in phase j by 
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Let U^i,...,Ukj be independent performance state indicator 
variables for the components 9 w iib 



P[u kl =i] = P£x k (t 1 )=i] 



(3.1.1) 



P[U k .=l] = Pl^Ctp-ll^Ct^p-l], 1=2, ...j. 



Then 



P[x k (t^)=i] = p [ u kl u k2 --- u k j =1 l» and thus 



St 



W ■ \l\2"-V 



S t 

where = means M is stochastically equal to M or, less formally, 

"has the same distribution as." Thus the original component and the 
substituted system have, as of the end of phase j , the same 
reliability. 

The preceeding observations suggest that a transformation of the 
phased mission problem can be accomplished by 

a) Replacing, in the configuration for phase j, j=l,...,m, 

component C^, k=l,...,n, by a series system in which the 
components > • • • > C^j perform independently, with the pro- 

babilities of functioning given in (3.1.1). 

b) Considering the transformed phase configurations to be sub- 
systems which operate in series. 
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The resulting new system, which has (at most) n*m independent 



components, is the equivalent system . As will be shown later, the 
ordinary reliability of the equivalent system is the same as the 
reliability of the original system for its phased mission. 

The block diagram for the equivalent system arising out of Example 
1.1 is given in Figure 3.1. A comparison with the block diagram for 
the phased mission shown in Figure 2.2 illustrates how the transforma- 
tion is implemented. 




transformed 
configuration 3 



Figure 3.1. Equivalent system for the 
mission of Example 1.1. 
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3.2 SOME PROPERTIES OF THE EQUIVALENT SYSTEM 

Two important properties of the equivalent system are that it 
performs just one phase, and that it is coherent. The former is a 
direct consequence of step (b) of the transformation. To obtain the 
latter, note that by step (b) of the transformation the equivalent 
system is a series, and hence coherent, structure of subsystems which 
themselves are coherent structures by assumption; their elements are, 
from step (a) of the transformation, series systems of components. 

The result then follows from the fact that a coherent structure of 
coherent structures is coherent. ^ 

These two properties together with the assumption that all com- 
ponents in the original system - and hence all components in the 

equivalent system - have lives imply that the equivalent system has a 
25 

life. Thus the potential difficulties mentioned in the introduction 

and illustrated in Example 1.3 cannot occur in the equivalent system. 

By contrast, another one of the difficulties of phased missions 

mentioned in the introduction does not disappear in the equivalent 

system. Although the m phase configurations operating in sequence 

in the phased mission become m subsystems operating in series in the 

equivalent system - a fact which simplifies the problem considerably - 

26 

the subsystems usually have components in common and do not function 
independently. Hence the product of the subsystem reliabilities is in 
general not equal to the reliability of the equivalent system, as is 
illustrated by the following extension of Example 1.2. 

Example 3.1 . For the mission described in Example 1.2, the 
equivalent system has the block diagram 
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subsystem I subsystem 2 



Letting it ^ , k-1,2, j-1,2, be as defined in Example 1.2, and 
P kl = *kl’ p k2 = *kl*k2’ k=1 » 2 » tbe subsystem reliabilities are 

P 1 = *11 + *21 " " 11*21 = P 11 + P 21 ~ p ll p 21 ’ 

P 2 = * 11 * 12 * 21*22 = P 12 P 22 * 

Their product p^p 2 is, except in trivial cases, less than the true 
system reliability p = 1T 11 1T 12 ir 2 l*22 = p 12 p 22 which can be found b y 
reducing the block diagram to its simplest form 




The true reliability for the equivalent system does agree with the 
reliability for the phased mission given in Example 1.2. □ 

3.3 MATHEMATICAL FORMULATION OF THE TRANSFORMED PROBLEM 

The transformed version of the phase j configuration functions 

if the event ^...U^^)=l} occurs, where U .,... ,U .), 

and U ' U = ^li^lk > ' ' * ’^ni^nk^ * f be ec l udva ^ en t system functions if 
the event 
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4i(u (1) ) = i, 4- 2 (u (1) u ( 2) ) = i,...,<j> m (^ (1 V 2) ...y, (m) ) = 1 } 



occurs. Thus the reliability of the equivalent system is 



(3.3.1) 



p = P[TTj= 1 4 , j(}i (1) u (2) ...u < ‘ j) ) = l] 



3.4 RELIABILITY EQUIVALENCE OF THE ORIGINAL AND THE EQUIVALENT SYSTEM 

It remains to establish that the reliability of the equivalent 

system agrees with the mission reliability of the original system, i.e. 

that p as given by (3.3.1) agrees with p as given by (2.3.1), This 

is done by the following theorem and the subsequent remarks. 

Theorem 3.1 . Let X^,,.,,X m be a non-increasing sequence of 

Bernoulli random variables, i.e. X..>X . Let U-,...,U be 

7 12 m 1* * m 

independent Bernoulli random variables with 



P[U 1 =l] = p[x 1 =i] , 

P[u =1] = P[X =l|x =1] , j=2,...,m. 



Then X, , . . . ,X = St U, ,U..U 0 , . . . ,U,U 0 . . .U . 

I 7 m r 1 2’ 12 m 

Proof, It is only necessary to show for each non-increasing 

binary sequence • •^ x m » 0r j=l, , , , ,m, that 

p t x i=*l V** 1 ■ P! W U 1 U 2 =X 2 U l U 2---V x m J - 



For the sequence x^=0, X2=0 , , . , ,x^=0, 



P[X 1 =0,...,X m =0] = PIX^O] = Plu^o] 

= P[U 1 =0,U 1 U 2 =0, . . . .U^. . .U m =0] 
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For the sequence x^=l, x^-l, • • • > x m “l> 

PIXi-l V 11 = P 1 X m‘ 1 l X m-r 11 '" 

...PlX^ljx^l] Pix^i] 

= P[U =1]...P[U =1] P[U =1] 
in ^ 

=P[U 1 =1,U 1 U 2 =1, . . . . .u m =i] . 

For any other sequence x =1, x =0, j=£,+l, . . . ,m, 

J 

PIX^I, . . . ,x £ -i,x 4+ i-o, . . . ,x m =0] 

= P[X -o,...,x A+1 *o |X A -1 X 1= l] P[X A -1, . . . .Xj-l] 



- P [ X £ + ^- 0 1 x ^- 1 ] ^ X ^ -*->•*•’^1 ^ 

= P[U £+1 =0] P[U 2 =1 ’“*> U 1 =1] 

= PtU^l,..., U^l.U^O] 

= P [U^=l 9 9 • • • 

U r*'V£+l = °’-" jU l U 2--- U m =0] ' D 

From (2.1.1) the sequence of variables X^t^) , . . . ,X k (t m > , which 
indicate the performance of component at the end of each phase, 

is non- increasing. Thus for U ta constructed according to 

(3.1.1), 

X k (t 1 ),X k (t 2 ),...,X k (t m ) = St U kl . U kl U k2 VkZ-Ukm- 
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Then, since component failure times, and consequently performance 
processes, are independent, 

. \ v / \ v- X St (1) (1) (2) ..(l)^) (m). 

x(t 1 ),x(t 2 ),...,x(t m ) = u ,u U u U ...U 

Since the event "success in the phased mission" occurs if <J>^ (X(t J )=1, 
j=l,...,m, and the event "functioning of the equivalent system" occurs 
if d> (U (1) U < ‘ 2) ...U ( “ ) )=1, j=l,..., m, then these two events are 

j ~ 

stochastically equivalent. Thus p as given by (2.3.1) agrees with 
p as given by (3.3.1). 
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4. DIRECT APPLICATIONS OF THE TRANSFORMATION 



The transformation described in Chapter 3 can be used to obtain 
results for the phased mission problem which are of theoretical and 
practical interest. Two of these are discussed below. 



4.1 CALCULATION OF THE EXACT MISSION RELIABILITY 

27 

Several computational methods are known for the numerical 

evaluation of system reliability in the single-phase case. Based on 

28 

them, computer programs for reliability analyses have been developed. 
The transformation provides, in principle, a way to adapt these methods 
and programs to the calculation of mission reliabilities in the multi- 
phase case. The necessary inputs are the phase configurations and, 
phase by phase, the conditional probabilities that the components sur- 
vive the phase, given that they have survived the previous phases, i.e. 
the conditional component phase reliabilities 



(4.1.1) 



"ki - nw-u. 

J ’ 2 



k=l,...,n. From (3,1.1) the conditional component phase reliabilities 
are the reliabilities of the components in the equivalent system. 
Computer programs could be adapted to accomplish steps (a) and (b) of 
the transformation internally, and then to find the reliability of the 
equivalent system which by Theorem 3.1 is the mission reliability for 
the original system. 

Theoretically, this approach eliminates all difficulties inherent 
in the phased mission problem, because it reduces the reliability 
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analysis of a system performing a multi-phase mission to the standard 
reliability analysis of a single-phase system* It may, however, not 
always be a practical or an efficient approach. Realistic systems 
usually have so many components to start with that when the transfor- 
mation is performed with its concomitant increase in the number of 
components in the equivalent system, the costs - in terms of computer 
time and memory - of calculating exact mission reliabilities are 
excessive. Frequently this is the case even for single-phase missions. 
Most existing reliability analysis programs therefore are designed to 
provide only approximations to system reliability, and it is not 
always clear whether such an approximation is conservative or optimistic. 
Thus the direct approach, i.e. applying the transformation and then 
using an existing computer program, is not necessarily the best solu- 
tion to the phased mission problem. 

Different approaches to the assessment of mission reliability which 
avoid some of the problems mentioned above will be discussed in Chapters 
5 and 6, after an additional direct application of the transformation 
has been presented. 



4.2 THE CUT CANCELLATION TECHNIQUE 

The transformation can provide a simple rationale for the cut 
cancellation technique of Rubin, Weisberg, and Schmidt. Conversely, 
cut cancellation can result in an advantageous simplification of the 
earlier configurations of a phased mission, prior to any implementation 
of the transformation. 

For instance, the sequence of phase configurations in Example 1.2 
turned out to have the mission reliability p = 7T 2.1 7T 12 7r 21 7r 22 * Using 
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notation introduced in Example 3.1, i.e. defining the (unconditional) 



component reliability p, . as the probability that component C, 

K. 

survives from the beginning of the mission through the end of phase j. 



(4.2.1) p kj = P[X k (t j )=l] = j=l,...,m, 

k=l,...,n, this mission reliability can be written as p = P^2 P 22 # 
The sequence of phase configurations 



-EH3— 

phase I phase 2 



has the same mission reliability. In Example 1.2 the only minimal 

cut set in phase 1, {C^ y C^} 9 contains the phase 2 cut sets {C^} 

and {^K Thus Can " cance H e d" in its phase, leaving 

a configuration which can never fail. 

The minimal cut sets of a (coherent) system are the minimal (in 

the sense of set inclusion) combinations of components which by all 

failing cause the system to fail. Every coherent system can be viewed 

as a series structure of subsystems, each of which consists of the 

29 

components in a minimal cut set acting in parallel. Equivalently, 
the configuration of every coherent system - and, in the context of the 
phased mission problem, every phase configuration - can be described 
by a complete list of its minimal cut sets. 

The rule for cut cancellation is: 

A minimal cut set in a phase can be cancelled, i.e. 
omitted from the list of minimal cut sets for that 
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phase, if it contains a minimal cut set of a 
later phase. 

A slightly more typical illustration of how cut cancellation works 
is given in the following example. 

Example 4.1 . A mission has the phase configurations 





phase I 



phase 2 



The minimal cut sets are: in phase 1 {C^} ^2 ,C 3^ 

in phase 2 {C^C^}. 

The phase 1 cut ^ 2 *^ 3 ^ contains the phase 2 cut {C^} , and so can 
be cancelled in phase 1. No cancellation results from the fact that 
the phase 2 cut ^2.^3^ contains the phase 1 cut {C^} because cut 
cancellation is not a symmetric procedure. 

After cancellation the sequence of phase configurations reduces to 




phase I 



phase 2 



It is easy to verify that both sequences lead to the same mission 

reliability by comparing their equivalent systems. □ 

The use of cut cancellation is justified by the theorem below. 

In its proof, the symbol V is the repeated OR operator; for binary 

variables x. , . • • ,x , 

1 5 n 5 



V 



n 

k=l X k 



x., 



V X,. V. . .V X 



n 



or, for computational purposes, 

v k"i*k ■ 1 - TT^o-V- 

Theorem 4.1 . Cut cancellation does not affect mission reliability. 

Proof . Assume without loss of generality that a system performing 
a phased mission contains a minimal cut set {C^, . . . ,C^ ,C r+ ^, . . . ,C g } 
in the configuration of phase h, and a minimal cut set {C^,...,C^} 
in the configuration of phase i, i>h. From (3.3.1) the reliability 
of the equivalent system is, in shorthand notation, 



p E (j) ^ (|) ^ . . . . • . (J) , . . .(j) 



m 



Let (j)^ and (j)^ denote the structure functions of the subsystems 
that remain when the above minimal cut sets are omitted in the trans- 
formed configurations of phase h and phase i, respectively. Then 



(4.2.2) 




The reliability can now be expressed as 
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p = e ♦ 1 * 2 ... t -*(v k yT^ 1 u kj )...*-Mv k yT.‘ 1 u k .)... v 

■ E * 1 * 2 ---+h---*I---C (v k"JT j = 1 \ J )w k yT J ‘iU kj ). 



By the laws of Boolean algebra, 



Therefore, 



^k-JTA V ^-iTTA V 

” v V l=l,)l|sJTj=l’ J kj )1 

= v r TT i u 

v k=i' 'j=i kj- 

p - E • - V • •+? <V k-lTTjil U kj } • -*m 

= E ^^^ 2 * * * ^h * * * ^ i * * * 



i.e. the minimal cut set can be omitted from the transformed configura- 
tion of phase h without changing the reliability of the equivalent 
30 

system. The result then follows from Theorem 3.1. □ 

Remark 4.2 . An even stronger result than Theorem 4.1 can be 
achieved . If (as henceforth will be done) $ is used to denote the 
structure function of the phase j configuration after cut cancellation 
has been performed to the greatest possible extent, j=l,...,m, then 
by an argument along the lines of the proof above it can be shown that 



(4.2.3) 



TTjVj - TTA»j 






although it follows from (4.2.2) that for j=l,...,m, 



(4.2.4) <(>_. > , 

and strict inequality may hold in (4.2.4) for all j except j=m. □ 
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As a final illustration of the cut cancellation technique, con- 
sider its effect on the mission described in Example 1.1. The minimal 
cut sets for this mission are, before cancellation: 
in phase 1 (M,L) {M,S} 

in phase 2 {F} {H,M} {ll,T} {M,L} 

in phase 3 {F,M} {H,M} {H,T} 

The minimal cut sets remaining after cancellation are: 
in phase 1 (M,S) 

in phase 2 {F} {M,L} 

in phase 3 {F,M} (H,M) {H,T} 

A block diagram for the sequence of simplified phase configurations 
is shown in Figure 4.1. 




phase I 



phase 2 



phase 3 



Figure 4.1. Block diagram for the mission of 

Example 1.1 after cut cancellation. 

After cancellation, the transformation can be applied to obtain 
the equivalent system shown in Figure 4.2. This system is considerably 
simpler than the one shown in Figure 3.1. but has the same reliability. 
Reliability computations are simplified accordingly. 
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transformed transformed 

configuration I configuration 2 



transformed 
conf ig ura t ion 3 



Figure 4.2. Equivalent system for the mission 

of Example 1.1, after cancellation. 
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5. BOUNDS ON MISSION RELIABILITY 



In Section 4.1 it was shown how the transformation can be used 
directly for the calculation of exact mission reliabilities; it was 
also pointed out why this approach may be problematic. In this 
chapter, bounds on mission reliability are studied. Bounds require 
less computational effort than the exact reliabilities and, although 
not necessarily precise, often suffice for the purpose at hand. 



5.1 BOUNDS BASED ON PHASE RELIABILITY FUNCTIONS 

A tempting procedure to approximate mission reliability is to 

31 

deliberately commit what was shown to be a logical error when trying 

to find exact reliabilities, namely to compute the reliability of each 

phase configuration separately, and then to multiply the results 

together. There are at least two choices of component reliabilities 

to use in doing this: the conditional component phase reliabilities 

tt, . given in (4.1.1), or the (unconditional) component reliabilities 

RJ 

p, . given in (4.2.1). The first choice leads to estimating mission 

RJ 

reliability by 



(5.1.1) 



"PRF TTj =l h j j > • • • > ) > 



and the second choice to estimating mission reliability by 



( 5 . 1 . 2 ) 



P PRF 



where in both cases h., j=l,...,m, are the reliability functions for 
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the phase conf iguriitions . The reliability function of a system with 
structure function <J> is defined by 



39 



h(p x P n ) - P[*(X 1 ,...,X n )-l) - E*(X 1 , 



•V- 



where are independent performance state indicator variables 

with P[X^=1] = p^> k=l,...,n. 

The following theorem shows that (5.1.1) gives an optimistic 
result (cf . Example 1.2), i.e. is an u pper bound on mission reliability, 
and that (5.1.2) gives a conservative result (cf. Example 3.1), i.e. 
is a lower bound. 

Theorem 5.1. For as given by (5.1.1), as given 

— — rKi r Rr 

by (5.1.2), and p as given by (2.3.1) or (3.3.1), p pRp ^ p ^ Tr pRp . 

Proof . The coherent phase configurations have no n-decr easing 
structure functions from (2.2.1), and U , . . . ,U ^ are independent 
by construction. Thus 



e TT j ^ j (u ( 1 ) u ( 2 ) ...u (:i) ) < e 



<j) 



(5.1.3) 



= TLjV^GJ^) 



so that p S it from (3.3.1) and (5.1.1). 

r Rr 

33 34 

The proof that p ^ p uses standard properties of associatecT 

r Rr 

random variables. Since U, . , k=l,,.,,n, j=l,...,m, are independent 

kj 

and thus associated, and (Jk , j=l,...,m, are non-decreasing, then 

<j>_. (U^^U . . .U ^ ^ ) , j=l,...,m, are associated. Therefore the inequality 

TT. n \ E^(U ( 1 ) U ( 2 ) ...U (j) ) < E n. m i <f>.(\l ( 1 ) U ( 2 ) ...U (j) ) 

j=l J ~ ~ J=1 J ~ 



holds, so that p ^ p from (3.3.1) and (5.1.2). □ 

r KJc 

The method of approximating mission reliability described above 
can also be employed after cut cancellation has been performed. Denoting 
the phase reliability functions of the simplified phase configurations 
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by ly j=l, • • • ,m, the resulting approximations corresponding to 
"PRF and P PRF are 



(5.1.4) 



^PRF-CC TT j=1 h j 



and 



(5.1.5) p _ TT m l / ) 

PRF-CC ~ 1 ‘ j=l h j P lj * * ’ # ,P nj ' 9 

respectively. Again, 7T p R p_ cc g ives an optimistic, and P pRF _ cc a 
conservative result, as is shown in the next theorem. 

Theorem 5.2 . For "ppp^Q as given by (5.1.4), Pp^^c as 
given by (5.1.5), and p as given by (2.3.1) or (3.3.1), Pppp_.cc 5 

P ^ "PRF-CC* 

Proof. The phase structure functions are greater after cut can- 
cellation than before from (4.2.4); thus 

(5.1.6) TT j “ 1 E<|» j (U (j) ) * TTj= 1 E^T(U (J) ) , 



so that p < TT from (3.3.1), (5.1.3), and (5.1.4). 

x Kr — LL 

The , j=l,...,m are non-decreasing, and therefore the same 
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properties of associated random variables used before lead to the 
inequality 



HA**?!! 



- / „(l) u (2) 



•U <j) ) < 



TT J : 1 *-(H < 1 > H <2) 







The equivalent system has the same reliability before and after cut 
cancellation by Theorem 4.1, i.e. 






-m(D u (2) 



.U (j) ) = E ]"[. m <f> . (U (1) U (2) 
J=1 J ~ 



.U (j) ), 



so that P pRF _ cc * P from (3.3.1) and (5.1.5). □ 
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The four bounds presented so far all presuppose that the phase 
reliability functions h^ or h^ are known for all m phases. 
Although to compute them is considerably easier than to compute the 
reliability function for the complete equivalent system, it may still 
be a formidable task. In the following section, therefore, bounds 
are studied which do not involve the phase reliability functions. 



5.2 BOUNDS BASED ON PHASE BOUNDS 

For coherent single-phase systems with independent components, 

Esary and Proschan [1963] have established two bounds on system 

reliability which can be computed without a knowledge of the reliability 

function. In one case, the system is expressed as a series structure 

of subsystems each of which consists of the components in a minimal 

cut set acting in parallel. The reliabilities of all subsystems are 

calculated separately and then multiplied together, the result being 

the minimal cut lower bound . In the other case, the system is expressed 

as a parallel structure of subsystems each of which consists of the 

components in a minimal path set acting in series. Again, the subsystem 

reliabilities are calculated separately, and then the reliability of 

the system is computed as if the subsystems were independent, resulting 

37 

in the minimal path upper bound . (The minimal path sets of a coherent 
system are the minimal, in the set inclusion sense, combinations of 
components which by all functioning ensure the functioning of the system.) 

These two bounds, when applied to each phase separately, can be 
used to approximate mission reliability in the multi-phase case. Let 
hygj and h^_. denote the minimal path upper bound and the minimal 
cut lower bound, respectively, for phase configuration j, j=l,...,ra. 

Using basically the same approach as before, and choosing as component 
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reliabilities the conditional component phase reliabilities 

in one case and the (unconditional) component reliabilities 

38 

in the other, one obtains the approximations 



"kj 

p kj 



(5.2.1) 
and 

( 5 . 2 . 2 ) 



11 pub TT j=1 h UBj ^ lj »---^ nj ) 
P PLB = TTj=i h LB j (p lj ,, - , ’ p nj ): 



which by the following theorem are bounds on mission reliability. 

Theorem 5,3 , For as given by (5.2.1), Pp LB as given by 

(5.2.2) , and p as given by (2.3.1) or (3.3.1), p pLB < p ^ "puB’ 

Proof . The phase configurations are coherent, thus - hj - 

W J- 1 -- ,m, by construction, and the inequalities 

(5.2.3) V s TTjUlVl Cl, lj \,j> 

and 

(5.2.4) TT j= 1 h LBj (p 1:j »-*-» p nj ) - TTj = 1 h j (p ij p nj ) 

hold. Therefore p < from (5.1.1), (5.2,1) and Theorem 5.1, and 

p ^ p from (5.1.2), (5.2.2) and Theorem 5.1. □ 

r i-iij 

It is easy to see that if a different choice of component reliabi- 
lities is made, i,e. if the (unconditional) component reliabilities 
are used with the phase minimal path upper bounds, or the conditional 
component phase reliabilities with the phase minimal cut lower bounds, 
the resulting approximations are not bounds. For a mission with m=l 
phases, obviously 



hj=i h UBj (p lj’ , * ,sP nj ) " P " TVlhBj (7T lj’ 







and strict inequality may hold. On the other hand, for a phased mission 
with the block diagram 
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-ED- 

phase I 




phase 2 



the exact mission reliability and the approximations are, in the 
established notation, 

P = P±2 P 22 = T^ 11 T^ 12 1T 21 1^ 22 , 
lTj=l h LBj ^lj ,TT 2j^ = ir ll ir 12 ir 22* 

^j=l h UBj (p lj ,p 2j ) = p ll p 12 p 22 = "l 1*1 1*1 2*2 1*2 2’ 

2 2 

so that 2 P s N j =l^LBj (ir lj * *2j 5 * and Strict 

inequality holds if 0 <tt v . <1, k=l,2, j=l,2. 

k.j 

As before, cut cancellation can be performed prior to implementing 
the approximations (5.2.1) and (5.2.2). The resulting approximations 
corresponding to 7 r pUB and p pLB are 

^ 5 * 2 * 5 ^ 1T PUB’-CC = ^j=l h UBj ( - 1T lj , *” ,1T nj ) 



and 

(5.2.6) 



P PLB-CC ^j=l^LBj ^ P lj ’ ’ * ’ ’ p nj ^ * 
where h^^ an< ^ ^LBj denote the minimal path upper bound and the 
minimal cut lower bound, respectively, for the simplified configuration 
of phase j, j=l,...,m. Theorem 5.4 establishes that these approximations 
are bounds. 



Theorem 5.4. For tt 



PUB-CC 



as given by (5.2.5), P pLB _ cc as given 



by (5.2.6), and p as given by (2.3.1) or (3.3.1), P pLB _ cc ^ P ^ *pub-CC' 
Proof . The simplified phase configurations are coherent, thus 
hf-Bj “ kj - h^ B ^ , j=l,...,m, by construction and the inequalities 
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(5-2-7) TTj.^'u » nj ) s TTj.iVj^j * nj ) 

and 

(5.2.8) TTj= 1 h Z B j (p 1 j’---’p n j ) 5 TTj =1 h :j (p 1 j > -**»p n j) 



hold. Therefore p 5 from (5.1.4), (5.2.5) and Theorem 

r Kx — L L 

5.2, and p < p from (5.1.5), (5.2.6) and Theorem 5.2. □ 

rKr-LL 

Bounds 'n'_ 7T _. __ and p__ _ __ are the last to be considered here, 
rUB— CL rLiJ— CC 

although additional ones certainly could be found. Attention is now 
turned to a comparison and assessment of the bounds. 



5.3 COMPARISON AND ASSESSMENT OF THE BOUNDS 

The bounds presented in the previous two sections differ from 
each other in several respects, and it is not obvious which of them are 
suited best for a specific phased mission problem. It is therefore 
necessary to compare and assess them. From an applications point of 
view, the most significant criteria on which to base comparisons of 
bounds are felt to be precision , i.e. closeness to the exact reliability, 
and computational effort , i.e. cost of calculation. These criteria 
will be addressed in turn. 

For single-phase systems, in order to obtain a rough idea of how 
system reliability responds to the achievement of a general, across- 
the-board level of component reliability, and to get an indication of 
the precision of bounds, it is often assumed that all components have 
the same probability of functioning. Then system reliability is a 
function of a single variable - component reliability - and can easily 
be exhibited. To use a similar approach for a system performing a 
phased mission, i.e. to assume that all conditional component phase 
reliabilities are equal, is somewhat more questionable but may still 
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provide an indication of the precision of bounds on mission reliability. 
The following example demonstrates this. 

Example 5.1 . Assume that in the mission of Example 1.1 all compo- 
nents have the same conditional phase reliability i\ in all phases, 
and consequently the same unconditional reliabilities Pj =7r ^ phase 

j, j=l,2,3. Then the exact mission reliability and the bounds on 
mission reliability, as a function of tt , take on the numerical values 
given in Tables 5.1 and 5.2 below. 

The tables show that for component reliabilities close to one, 
the lower bounds approximate the exact mission reliability quite closely 
whereas the same is not true for the upper bounds. This fact has been 
observed frequently in single phase systems. 



it 


P 


"frf 


"rRF-CC 


71 PUB 




0.40 


0.002 


0.025 


0.058 


0.036 


0.077 


0.50 


0.011 


0.078 


0.141 


0.119 


0.190 


0.60 


0.045 


0.187 


0.274 


0.284 


0.366 


0.70 


0.137 


0.364 


0.454 


0.526 


0.584 


0.80 


0.337 


0.596 


0.661 


0.782 


0.797 


0.90 


0.668 


0.834 


0 . 857 


0.955 


0.948 


0.95 


0.854 


0.932 


0.938 


0.991 


0.987 


0.99 


0.978 


0.989 


0.990 


1.000 


0.999 



Table 5.1. Exact mission reliability and upper 

bounds for the mission of Example 1.1. 
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IT 


P 


P PRF 


P PRF-CC 


P PLB 


P PLB-CC 


0.40 


0.002 


0.0 4 64 


0.0 3 36 


0.0 5 30 


0.0 4 57 


0.50 


0.011 


0.001 


0.004 


0.000 


0.001 


0.60 


0.045 


0.009 


0.021 


0.003 


0.010 


0.70 


0.137 


0.055 


0.090 


0.030 


0.061 


0.80 


0.337 


0.217 


0.277 


0.172 


0.236 


0.90 


0.668 


0.590 


0.633 


0.566 


0.615 


0.95 


0.854 


0.826 


0.842 


0.820 


0.838 


0.99 


0.978 


0.976 


0.977 


0.976 


0.977 



Table 5.2. Exact mission reliability and lower 

bounds for the mission of Example 1.1. □ 

The order among the bounds exhibited in Tables 5.1 and 5.2 is no 
coincidence and does not only hold for this particular example. The 
next theorem establishes some inequalities which are always valid. 

Theorem 5.5 . For the bounds as given by (5.1.1), (5.1.2), (5.1.4), 
(5.1.5), (5.2.1), (5.2.2), (5.2.5), and (5.2.6), and p as given by 
(2.3.1) or (3.3.1), the following inequalities hold. 

“ P PLB-CC „ „ _ 5 ^PRF-CC “ "PUB-CC 

P PLB “ P PRF— CC “ p - "PRF 

“ P PRF “ 11 PUB 

Proof . The proof consists of a separate demonstration for each 
inequality. 

(1) p 5 tt by Theorem 5.1. 

r Kr 

(2) P PRF _cc 5 P b y Theorem 5.2. 

(3) n pRF < ir pUB from (5.1.1), (5.2.1), and (5.2.3). 
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(4) PpLB “ P PRP frora (5.1.2), (5.2.2), and (5.2.4). 

(5) * PRF _ CC - ^pub-CC fr ° m (5.2.5), and (5.2.7). 

(6) P PLB-CC 5 P PRF-CC frora ( 5 * 1 * 5 )> (5.2.6), and (5.2.8). 

(7) ^PRP 5 ^PRF-CC frOTD (5.1.4), and (5.1.6). 

(8) p pRF < p pRF _ cc from (4.2.4), (5.1.2), and (5.1.5). 

Finally, since (j)^. - > j = l,**.»ra, from (4.2.4) and thus 

bj^Bj - h LBj’ the inequality 



TTj"l h LBj < ‘ , lj’"-‘ > „j ) 5 TTj^bj (Py 



'°nj ) 



holds, so that 

(9) p pLB < Pp LB _ cc from (5*2.2) and (5.2.6). □ 



No general inequalities can be established between tt nn and 

sr Kx — C*L* 

TTpuB> and between Pp^g-CC and P PRF‘ Ibis is not too surprising. 

In the case of the two upper bounds, both cut cancellation and the use 
of phase upper bounds instead of phase reliability functions increase 
the apparent phase reliabilities; and in the case of the two lower 
bounds, cut cancellation and the use of phase lower bounds instead of 
phase reliability functions tend to balance each other. More formally, 
consider first a system where no cut cancellation is possible, i.e. 

VV j=1 ’ If h LBj <h j <h UBj f ° r SOme j ’ then ir PRF-CC <7T PUB 

from (5.2.3), and p P^nr from (5.2.4). Next, consider a system 

ILd-LL ritt 



with 



h^^j=h^=h^g_. for j=l,...,m. If cuts can be cancelled in any one 



phase, i.e. if <J> ><j> for some j, then 7T PRF ^ cc >7r PUB and 

40 

PpLB-CC > PpRF ^ rom .2.4) . The relative magnitudes of these four 
bounds, however, may not only depend on the structure of the system 
under consideration, but also on the values of the component reliabilities. 
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This is the case in the system of Example 1.1 and can be seen by 

comparing the values of * pRF _ cc » '"pug* p plB-CC and P PRF for 
tt=0.4 and tt=0.8 in Tables 5.1 and 5.2. 

The fact that and '"pub-CC a ^- so cannot be compared is 

somewhat counter-intuitive and unexpected, because it causes an un- 
symmetry in the string of inequalities of Theorem 5.5. However, it 
can be shown that even two single-phase systems with structure func- 
tions <j>^ and <j> 2 , (J ) ^ > (|> 2 > may have minimal path upper bounds h^ 
and su °b that ^ l lb 1 < \ ( B2’ exam P-*- e a one-out-of-two 

system and a two-out-of-three system where all components have the 
same reliability p. In that case, h^^^ (p) >h^ B 2 (?) for 0<p<0.8, 
and (p) <h ^ fi 2 (p) for 0.9<p<l. The mission of Example 1.1 shows 



a similar behavior, as can be seen by comparing the values of tt 
and ^pub-CC ^ or 7T= ®*^ and tt=0.9 in Table 5.1. 



PUB 



As far as the computational effort required to calculate bounds 

is concerned, only a few statements valid in general can be made. One 

41 

is that for any system performing a phased mission, less effort is 
required to compute the m phase reliability functions separately than 
to compute the reliability function of the equivalent system; another, 
that phase bounds are easier to calculate then phase reliability 
functions. Cut cancellation simplifies all reliability calculations, 
but requires computational effort to be performed. This may be minimal 
in some cases (in particular when phase minimal cut lower bounds are 
used because then the minimal cuts of all phases have to be known 
explicitly), but cannot be neglected totally. On the whole, however, 
it is felt that the benefits of cut cancellation outweigh its costs. 
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The diagram below is an attempt to summarize the previous obser- 
vations, Its comparisons may not hold in all cases, but do indicate 
what is usually true. The symbol < stands for "requires less com- 
putational effort than.” 

"pUB-CC 4 "PUB * "PRF-CC 4 "pRF 

P 

P PLB-CC ^ P PLB * P PRF-CC 4 P PRF 



Figure 5,1, A comparison of the computational 

effort required to calculate bounds. 

5.4 AN ALGORITHM FOR THE "BEST” BOUND 

Trying to select the best bound from those presented in this 
chapter is a difficult problem whose solution depends on the circum- 
stances of each particular application and cannot be given in general. 
If one is interested in a conservative rather than an optimistic 
approximation, and if the system to be analyzed has components with 
uniformly high conditional reliabilities in all phases, then the quali- 
tative comparisons of the previous section and the numerical values 

of Example 5.1 suggest that p is a good choice. 

FLB— LL 

Since the above conditions are frequently encountered, and 
p hence might be used more often than other bounds, an algorithm 

it LJj—Lv 

for its computation is given below. This algorithm assumes that the 
survival function F^(t) = P[T^>t], t>0, is known for each component 
C^, k=l,,,.,n, that each phase configuration is represented by a 
block diagram or a fault tree, and that the duration of the phases and 
thus the times t., j=l,...,m, are given. 
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from 



Algorithm for Computing P pLB _ cc • 

42 

(1) For k=l,...,n and j=l,...,m, 





(2) For j=l,...,m, find the minimal cut sets of phase j from 

43 

the block diagram or the fault tree for that phase. 

(3) Perform cut cancellation according to the rule given in 
Section 4.2. 

(4) For j=l,...,m, denote the number of minimal cut sets 
remaining in phase j by K(j), and the i-th minimal 
cut set in that phase by ^ , i=l, . . . ,K(j ) . Then compute 



The following example illustrates how the algorithm works. 

Example 5.2 . Suppose that for the mission of Example 1.1, a 

general expression for the lower bound p is wanted. Using 

P<Ld*“CC 

the algorithm described above, the following results are obtained; 



(2) The minimal cut sets are 

in phase 1 {M,S} 

in phase 2 {F} //{H,T}// {M,L> 

in phase 3 {F,M} {H,M} {H,T} 

(3) The cut sets marked //{ }# above are cancelled. 

(4) The minimal cut sets remaining are denoted by 



P PLB-CC £r ° m 



P PLB-CC 




K u = (M, S) , K n = {F}, K 22 = {M,L} 



K 31 = {F,M} , K 32 = K 33 = {H,T} , 
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and the bound p ^ cc Is given by 

P PLB-CC = 1 1_ (1 " p Ml) (1 "P SI > ] 1 1_ (1 *'PF2 ) ] 

*[ 1 - (1 -p M2 ) (l-p L2 )] [l-(l-p F3 ) (i- P m3 ) J 

*U-(i- P h3 ) (i-p M3 )] [i-(i- P h3 ) (i-p t3 )] . d 

This concludes the discussion of bounds based on reliabilities 
directly. In the next chapter, a reliability transformation is pre- 
sented which permits the derivation of additional approximations and 
bounds. 
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6. HAZARD TRANSFORMS FOR PHASED MISSIONS 



Recently, Esary and Hayne [1973] extended the scope of application 
of a simple reliability calculus of Rubinstein [1961, 1965] to coherent 
systems. This calculus uses an approximate hazard transform and leads 
to conservative approximations to system reliability. Its potential 
for use in the phased mission problem is explored here. 



6.1 AN APPROXIMATE HAZARD TRANSFORM 

The h a2ar d transform of a system with reliability function 
h(p^,...,p^) is defined as 



H(u 1 ,...,u n ) = -log h(p 1 ,...,p n ) = -log h(e u l, . . . , e -u n) , 

where u^= “log p^ is the component hazard of component having 

reliability p^, k=l,...,n. Knowing the hazard transform of a system 
is equivalent to knowing its reliability function since 

h( Pl ,...,P n ) - e" H(u l u „> - e- H(_los P 1 - los p n>. 

The assumption that components perform independently is implicit in the 
definition of a hazard function, just as it is in the definition of a 
reliability function. 

The approximate hazard transform H* considered by Esary and Hayne 
can be defined by the following rules: 

(1) For a system consisting of a single component C, , the 

iC 

approximate hazard transform is equal to the component hazard, 

i.e. 

U’ = u, . 



-u 
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(2) For a system which is a combination of two modules (subsystems 



with disjoint sets of components) having approximate hazard 
transforms and H^, the approximate hazard transform 

H* is 

H* = Hj + if the combination is series, 

H f = HjH^ if the combination is parallel. 

So far, the rules define the approximate hazard transform only for 
systems that can be formed by successive series and parallel combina- 
tions of subsystems which have no components in common, i.e. for the 
class of simple systems considered by Loranicki [1973]. To extend the 
definition to systems which are coherent but not necessarily simple, 
a third rule is needed. This rule makes use of the fact that any 
coherent system can be represented in terms of its minimal cut sets. 

(3) For a coherent system with minimal cut sets K^,...,K^ 

whose approximate hazard transforms are H|,...,H^, the 
approximate hazard transform H 1 is 

H 1 = Hj + + ...+ Hj. 

44 

Esary and Hayne show that the approximate hazard transform 
obtained in this way is conservative, i.e. indicates greater system 
hazard (less system reliability) than the exact transform. For further 
reference, this fact is noted as a theorem. 

Theorem 6.1 . For a coherent system with reliability function h, 
hazard transform H, and approximate hazard transform H* obtained 
according to the rules above, H 1 > H, and consequently h 1 < h, where 
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6.2 APPLICATION OF THE APPROXIMATE HAZARD TRANSFORM TO THE PHASED 

MISSION PROBLEM 

Several approximations to the mission reliability of a multi- 
phased system can be derived using the approximate hazard transform 
defined in the previous section. One of them is discussed here in 
detail. 

Suppose that cut cancellation has already been performed in a 
phased mission. Let H_! be the approximate hazard transform of the 
simplified configuration of phase j, j=l,...,m, and define an approxi- 
mate hazard transform for the mission, H f , by 



( 6 . 2 . 1 ) 



H f = Hi + Hi +. . .+ H f . 
12 m 



Then h f given by 



( 6 . 2 . 2 ) 



-H f -(H f 4 . 4 - 

= e n = e ^1 "2 



+ H f ) 
ra 



is a conservative approximation to the mission reliability p, as is 
proved in the following theorem. 

Theorem 6.2 . For h f as given by (6.2.2) and p as given by 

(2.3.1) or (3.3.1) , h 1 < p. 

Proof. Let h!=e , j=l,...,m, Then h f = TT^h! from 

(6.2.1) and (6.2.2). Since the phase configurations are coherent, then 

h’ 5 h., j=l,...,m, by Theorem 6.1. Therefore, JJ.^h! < 

j J 3 3 J 3 

and the result follows from (5.1.5) and Theorem 5.2. □ 

An algorithm for computing h f consists of the following steps, 
where the notation of Section 5.4 is used; 

(1) For k=l,...,n and j=l,...,m, compute u from 

u kj ‘ - loe = - log W' 
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(2) For j=l,...,m, find the minimal cut sets of phase j 
from the block diagram or the fault tree for that phase. 

(3) Perform cut cancellation according to the rule of Section 4.2. 

(4) Compute the approximate hazard transform for the mission from 

m K(j) 

H ' - E I TT C cK u ki 

j=i i=i V K ji 

(5) Compute the lower bound h f from 

, . _-H f 



A comparison of this algorithm with the one presented in Section 

5.4 indicates that the calculations of the bounds h ! and p ^ 

PLB— CL 

require about the same amount of effort. Both are conservative, but 
h 1 is less precise than PpLB-CC* aS esta ^^^ s ^ ec ^ ^- n Theorem 
6.3 below. It is therefore questionable from an applications point of 
view whether h ! can replace PpLg^cQ as t * ie "best" lower bound for 
a phased mission. However, if all components of a system are assumed 
to have constant failure rates throughout each phase - as is often 
done for lack of better information about the distributions of the 
components 1 time to failures - the approximate hazard transform H T 
has the attractive feature that it is a polynomial in all of the phase 
durations. Thus it is well suited for parametric studies. An illustra- 
tion for this is given after the assertion about the relative precision 
of h f and Pp LB qq has been proved. 

Theorem 6,3 . For h ! as given by (6.2.2), and p cc as 
given by (5.2.6), h 1 5 P pLB _ cc « 

Proof . It suffices to note that in the calculation of Pp^^ 
the exact reliability of each parallel subsystem corresponding to a 
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minimal cut set is used, whereas in the case of h 1 , as a consequence 
of Theorem 6.1, a conservative approximation to the reliability of each 
such subsystem is the basis for the calculation. The result then 
follows from the fact that all other steps of the computation are 
equivalent . □ 

Example 6.1 « Consider the mission of Example 1.1. Assume that 
the failure rate of component k in phase j is a constant r^ , 
k=F,H,L,M, S,T, j=l,2,3, and let d_. be the duration of phase j, 
j=l,2,3. Then from step (1) of the algorithm above, the component 
hazards are 



u, . = r. t d- +. . .+ r. .d . , 
kj kl 1 kj j’ 



and the following general expression for the approximate hazard 
transform of the mission is obtained from step (4) of the algorithm: 
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H r Ml d l r Sl d l 

+ ^ r Fl d l +r F2 < V + ^ r Ml d l +r M2 d 2' ) ^ r Ll d l +r L2 d 2^ 



+ ^ r Fl d l +r F2 d 2 +r F3 d 3^ ^ r Ml d l +r M2 d 2 +r M3 d 3^ 



+ ( ' r Hl d l +r H2 d 2 +r R3 d 3' ) ( ' r Ml d l +r M2 d 2 +r M3 d 3^ 



+ ^ r Hl d l +r H2 d 2 +r H3 d 3^ ^ r Tl d l +r T2 d 2 +r T3 d 3^ * 



Now suppose that the duration of phase 2, d^, is uncertain, and 
that a sensitivity analysis on it is desired. H T as a function of d r 

i 

can be written as 



(6.2.3) 



H'(d 2 ) = a + b*d 2 + c*d 2 , 



where 
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For a numerical illustration, assume that phase 1 lasts 30 minutes 
and phase 3 lasts 10 hours, and that the following failure rates (in 
hours ■*") are given: 



Component 


F 


H 


L 


M 


S 


T 


Phase 1 


0.000 


0.001 


0.040 


0.020 


0.100 


0.000 


Phase 2 


0.020 


0.003 


0.010 


0.006 


- 


0.020 


Phase 3 


0.010 


0.002 


_ 


0.005 




0.020 



Then 

a = 0.012030, 

b = 0.023333 hours \ 

-2 

c = 0.000258 hours 

For various durations of phase 2 (in hours), the approximate hazard trans- 
form for the mission, H T , and the lower bound on mission reliability 
h f , both rounded to three decimals, are shown below. 



0 0 . 

1 0 . 

2 0 . 

3 0. 

4 0. 

5 0. 

6 0 . 

7 0. 

8 0 . 

9 0. 

10 0 . 



h' 

0.988 
0.965 
0.942 
0.919 
0.896 
0.874 
0.851 
0.829 
0.806 
0.784 
0.763 d 



H’ 

012 

036 

060 

084 

109 

135 

161 

188 

215 

243 

271 
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7. POSSIBLE EXTENSIONS AND REMAINING PROBLEMS 



It was shown in this thesis how, under suitable assumptions, the 
phased mission problem can be formulated mathematically and transformed 
into an equivalent single-phase problem, and how exact mission reliabili- 
ties and approximations to them can be computed. The assumptions made, 
however, may not always be satisfied by realistic systems and missions 

which have to be analyzed. In particular, components may not perform 
46 

independently, failed components may be replaced, and the durations 
of the phases may not be known in advance. 

47 

Systems with interdependent components have been studied, but 

so far no generally valid methods to model them seem to be available. 

In certain situations an approach similar to the one described in 

Chapter 3, i.e. the transformation of a system with interdependent 

components into an equivalent system whose synthetic components perform 

independently, may be feasible. Another approach might make use of the 

fact that several theorems on which lower bounds are based remain valid 

when component performances are positively dependent in the sense of 
48 

association. 

As far as a replacement of failed components is concerned, it is 
felt that this feature can be incorporated into the model without 
causing major problems. If replacement is instantaneous at failure, 
it might simply be considered in the component’s time to failure dis- 
tribution; if replacement can occur only at the end of a phase, then 
the equivalent system may be modified to reflect this fact. 

Example 6.1 indicated how uncertainties in the duration of the 
phases can be dealt with if component failure rates are constant 
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throughout the phases. Under these circumstances, and if phase 

durations are assumed to be random, the mean of the approximate hazard 

transform for the mission can be found, even without complete knowledge 

49 

of the phase durations 1 distributions. 

As a final comment on the phased mission problem, it should be 
pointed out that even if all the extensions mentioned above can be 
incorporated into a model, practical use of it can only be made if all 
the necessary inputs are available. These inputs, the component relia- 
bilities on one hand, and the functional organization of the system in 
the various phases of its mission on the other, are not always easy to 
obtain. 
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COMMENT S AND NOTES 



This term is used by Barlow and Proschan [1965]. 

2 

This definition of reliability is due to the Radio-Electronics 
Television Manufacturers Association [1955], as cited in Barlow and 
Proschan [1965], p. 6, and is widely accepted. 

3 

Roughly, a system is coherent if its 'performance is not impaired 
by an improvement in the performance of its components" [Esary and 
Marshall 1964, p. 459]. All two-terminal networks and all systems 
whose functional organization can be represented by a fault tree using 
AND and OR gates only are coherent. - Barlow and Proschan [1965] use 
the term "monotonic" instead, but "coherent" seems to be more widely 
accepted and will be used in this thesis. 

4 

This approach was used before by Mine [1959]. 

5 

Barlow and Proschan [1965], pp. 196f. 

^ "Roughly. . .a device has a life if it functions continuously until 
some time of failure, and remains failed thereafter." [Esary and 
Marshall 1964, p. 459.] 



Among these are: components perform independently - components 

have exponential lives - only two states are recognized for components 
and systems. 

g 

The method is described in Chapter 4. 

9 

The manual section on phased missions is based on the work of C. 
Persels. 



10 



1.4. 



Success paths and Muth f s approach are briefly discussed in Section 



11 



Cf . 



the definition given above in Note 6. 



In the military, for instance, a communication network, the power 
plant of a ship, and a mine are systems which may be required to perform 
phased missions. 



Apologies are extended for this example to all firemen and all 
chemical engineers. 

14 

Esary and Marshall [1964], Theorem 3.1, p. 461. 

^ Muth [1964], p. 2. 



Rubin [1964], 



p. 263. 
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Expressing the life length as a random variable also permits 
by the proper choice of its distribution function, taking into account 
the operating conditions (the environment) which the system encounters. 

18 

This is one of the classic assumptions mentioned before which are 
not very realistic but without which an exact reliability analysis is 
currently impossible. 

19 

An example for a system which violates this assumption is an 
HF-communication network. Here the atmospheric conditions play an 
important factor in determining whether the system functions or not. 

20 

A block diagram is a graphical model of the functional organiza- 
tion of components in a system. It provides a positive view of the 
system in that it indicates the combinations of functioning components 
which guarantee the functioning of the system. 

21 

A fault tree is also a graphical model of the functional organi- 
zation of a system, but in contrast to a block diagram it provides a 
negative view of the system because it indicates which combination of 
failed components cause failure of the system. 

22 

Almost all engineering system are coherent. A ship with two 
captains could be an example for a system which is not coherent. 
Generally, an EXCLUSIVE OR gate in a fault tree indicates a non-coherent 
system. 

23 

This follows immediately from the definition; cf . Esary and 
Proschan [1963], p. 192. 



24 



25 



26 



Birnbaum, Esary, and Saunders [1961], pp. 66f. 
Esary and Marshall [1964], Theorem 3.1, p. 461. 



for instance, is common to all 



Cf . Figure 3.1. Component M 
three subsystems. 

27 

Such computational methods are, for instance, the inclusion- 
exclusion algorithm and pivotal decomposition. 

28 

Cf. Fussell and Vesely [1972] and Vesely and Narum [1970] who 
describe programs for the analysis of fault trees. 

29 

Barlow and Proschan [ 197 ] Chapter 1, or Birnbaum, Esary, and 

Saunders [1961], Theorem 2. 7. 7.1, p. 65. 

30 

Note, however, that as a result of cut cancellation the relia- 
bility of each phase configuration considered by itself increases. 



31 



32 



Cf. Examples 1.2 and 3.1 and the paragraphs preceding them. 



The subscript PRF is used mnemonically to indicate that these 
approximations are based on the phase reliability functions. 
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33 

These are discussed, for instance, in Barlow and Proschan 

[ 19 7 ] , Chapter 2, and in Esary, Proschan, and Walkup [1967]. From 

the latter paper. Theorem 2.1, Theorem 4.1, and Property (P4) are needed 
in this proof. 

34 

Association is a special kind of positive dependence among 
several random variables. Performance state indicator variables are 
associated if the structure functions of any two coherent systems 
built from their corresponding components are positively correlated. 

35 

The added subscript CC indicates that £ut cancellation has 
been performed. 



36 



37 



Cf. the second part of the proof of Theorem 5.1. 



A detailed discussion of these bounds and proofs are given in 
Esary and Proschan [1963], Section 4, pp. 194-197. 

3 8 

The subscript PUB stands for phase upper bounds, and the sub- 
script PLB for phase .lower bounds. 

39 

The abbreviation 0.0 4 64 stands for 0.000064. 

40 

It is assumed here that all conditional component phase relia- 
bilities are strictly positive and less than one. 

41 

Terms which indicate a comparison are used here in the weak 
sense, i.e. "less" stands for "not more". 



42 
ler 
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Step (1) can be omitted if a general expression for the bound 
rather than a numerical value for it is needed. 



There exist computer programs which can perform this step. 
MOCUS, for instance, developed by Fussell, Henry, and Marshall [1974], 
is a program that finds the minimal cut sets of a system from its 
fault tree. 



44 



45 



Esary and Hayne [1973], Theorem 2.5, p. 12. 



Steps (2) and (3) of the algorithm are the same as in Example 
5.2 and not repeated here. 

46 

Interdependence among components may be caused, for instance, 
by common manufacturing processes or common operating conditions, or 
because the failure of one component increases the load on its neighbor. 



47 



48 



49 



For instance by Esary and Marshall [1974] . 

Cf. Remark 2.4 in Esary and Hayne [1973], p. 11. 

Equation (6.2.3) shows that for the particular mission considered 



E H 1 (D ) depends only on the first two moments of the random variable 

V 
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